Device discovery across VLANs?
-
I have two VLANs set up to isolate trusted and untrusted traffic. Basically guests and IoT that only need Internet access all go on untrusted, which doesn't have access to the firewall, switch, NAS, printer. I keep swapping my phone between VLANs because I want to discover the Alexa devices in the Spotify app, and then bounce back to the trusted VLAN for a few other reasons. Is there a way for the trusted VLAN to discover devices on the untrusted VLAN? Routing already exists. I can ping, SSH and HTTP/S to any untrusted device from a trusted device. Unfortunately I know just enough to realize it is a networking/firewall issue between VLANs but not enough to know what isn't happening. Appreciate the feedback on this.
-
Most "device discovery" protocols limit themselves to the local network only -- meaning they will not work across different IP subnets. VLANs are different IP subnets.
If your IoT devices use multicast for discovery, then the avahi package might help because it acts as a proxy copying the multicast traffic back and forth between VLANs.
The intrinsic behavior of automatic device discovery protocols is to limit themselves to the local network only. Otherwise, the apps would attempt to find everyone's devices from all over the world, and that would not be very helpful. Everyone who had a badly configured firewall (or worse yet, no firewall) would have their devices replying back to your discovery request. And another issue the discovering device would have is knowing what subnets to go searching for. Would it just try them all? For these reasons device discovery is limited to the local subnet.
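An added example, not from this thread or from the avahi project, showing what "link-local discovery" means on the wire. Spotify Connect and most IoT discovery ride on mDNS/DNS-SD: a UDP query to the multicast group 224.0.0.251 on port 5353 (the address and port a firewall rule has to permit if a reflector is in play), which routers do not forward. The script builds that query by hand, parses the answers, and flags any advertised address that is outside the querier's own subnet, which is the case you only see when something like avahi has relayed the announcement between VLANs. The service name _spotify-connect._tcp.local, the local address 192.168.10.20/24 and the sample reply packet are assumptions constructed for illustration.

```python
"""mDNS/DNS-SD one-shot query builder, reply parser and subnet check.

Added example, not part of the forum thread. The service type, the local
address and SAMPLE_RESPONSE below are constructed for illustration.
"""
import ipaddress
import socket
import struct
import sys

MDNS_GROUP = "224.0.0.251"  # link-local multicast group; routers do not forward it
MDNS_PORT = 5353
QTYPE_A = 1
QTYPE_PTR = 12


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_PTR) -> bytes:
    """Legacy one-shot mDNS question: ID 0, no flags, one question, class IN.
    Sent from an ephemeral port, responders answer by unicast (RFC 6762 s6.7)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field).
    A hop limit stops crafted packets with pointer loops from spinning forever."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode(errors="replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(buf: bytes):
    """Return every resource record as (name, rtype, data); data is a name for
    PTR, a dotted address for A, and raw hex for anything else."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):  # skip echoed questions
        _, off = decode_name(buf, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        if rtype == QTYPE_PTR:
            data, _ = decode_name(buf, off)
        elif rtype == QTYPE_A and rdlen == 4:
            data = socket.inet_ntoa(rdata)
        else:
            data = rdata.hex()
        records.append((name, rtype, data))
        off += rdlen
    return records


def on_local_subnet(addr: str, local_ip: str, prefix_len: int) -> bool:
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) in net


def classify(records, local_ip: str, prefix_len: int):
    """(hostname, address, is_local) for each A record; a non-local address means
    the advertisement crossed a subnet boundary, i.e. something reflected it."""
    return [(n, d, on_local_subnet(d, local_ip, prefix_len))
            for n, t, d in records if t == QTYPE_A]


def discover(service: str, timeout: float = 2.0):
    """Send the query to the mDNS group and collect (source_ip, records) per reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # mDNS uses TTL 255
    sock.settimeout(timeout)
    sock.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    replies = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(9000)
            replies.append((src, parse_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed reply: a PTR to "Kitchen" (name compressed back to offset 12)
# plus an A record placing that host on a different subnet than 192.168.10.0/24.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)
    + encode_name("_spotify-connect._tcp.local") + struct.pack("!HHIH", QTYPE_PTR, 1, 4500, 10)
    + b"\x07Kitchen" + b"\xC0\x0C"
    + encode_name("kitchen.local") + struct.pack("!HHIH", QTYPE_A, 0x8001, 120, 4)
    + socket.inet_aton("192.168.20.55")
)

if __name__ == "__main__":
    service = sys.argv[1] if len(sys.argv) > 1 else "_spotify-connect._tcp.local"
    local_ip, prefix = "192.168.10.20", 24  # ASSUMED: the querying device's own address
    for src, records in discover(service):
        for host, addr, is_local in classify(records, local_ip, prefix):
            print(f"reply from {src}: {host} at {addr} "
                  f"({'local subnet' if is_local else 'OTHER subnet, reflected?'})")
```

Run it on the trusted VLAN with no reflector and the Alexa devices on the other VLAN simply never answer, because the query never leaves the broadcast domain; run it again after enabling a reflector and the A records it reports will carry the untrusted-VLAN addresses, which is exactly the traffic the inter-VLAN firewall rule then has to allow.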
-
@bmeeks said in Device discovery across VLANs?:
attempt to find everyone's devices from all over the world
haha - that would be insane.. You can have problems with the amount of multicast and broadcast on a single small little L2 with only a few hundred devices.. Can you picture the insanity if every device on the internet traffic went everywhere ;) hehehehe
-
@johnpoz said in Device discovery across VLANs?:
@bmeeks said in Device discovery across VLANs?:
attempt to find everyone's devices from all over the world
haha - that would be insane.. You can have problems with the amount of multicast and broadcast on a single small little L2 with only a few hundred devices.. Can you picture the insanity if every device on the internet traffic went everywhere ;) hehehehe
Yeah -- that would be a world record DDoS for sure!
-
Yah. I get that for sure, but I do control my own network and can block/allow whatever I want on it. I know in big IT environments they separate all of that to optimize the network. I know there are people that know this a lot better than I do, but I do know enough about networking to know that something is either blocking something between my VLANs or something is assuming the subnet and thinking no further. I could do some creative tricks to make a larger subnet that spans both VLANs, but devices are still controlled as to which VLAN they go on by other means. Right now for WiFi I have two SSIDs, one for each VLAN, and for Ethernet I have two physical LANs, but I don't do anything more than that since this is my house. It's good enough for me. I trust anyone in my house. And I do question sometimes if it's even stupid to bother trying to separate IoT and guests and just use one network like everyone else does, but I also know these IoTs have got to be magnets for worm attempts.
-
@scottlindner:
The banter between @johnpoz and me is just for internal humor and not directed at you or your post. You are 100% correct in your assessment. Security on a home LAN by definition generally has some compromises. We buy widgets for our home networks and install them with the hope they make our lives easier (think smart light bulbs and thermostats), add some entertainment (think music streamers and smart TVs), or perform some rudimentary security function (think Ring doorbells and security cameras). We want to plug these in and have them just "work".
We IT security guys tend to bring our work home... We want our home LAN to be locked down like the corporate network we manage. But that does not always work so well at home. If the kids can't watch cartoons on Netflix, or the wife can't watch tear-jerker movies streaming on Prime or has issues using Zoom, then we hear about it loudly! So, I'm with you to a degree. If your home LAN does not contain the secrets to the alien technology stored at Area 51 (I'm exaggerating, not really a conspiracy theorist!), then putting the bulk of your IoT devices on the regular LAN can be okay. I'm talking things like smart TVs and music streaming gizmos that you want to easily be able to connect with at home using your phone or other devices.
-
@bmeeks I knew it was professional humor. I work in the broader sense of IT so I know it. I'm an engineer that designs very custom and complex "IT like solutions" for very special customers. Started as an EE doing more EE oriented work for signal type of stuff and slowly morphed into embedded software and into more IT type stuff. But I'm not the guy designing the network stuff, I'm doing more of the new capabilities and cloud architecture type of stuff for scaling, performance, etc. So I know this shit is all there, and I have written many k8s deployments so I do get networking.. but sometimes when I hit the lower level stuff it becomes our IT guys' issue to deal with because they are managing the network for reasons that don't exist at home, so it stretches my knowledge and experience a bit.
I just tried avahi and it doesn't seem to be doing anything. So it could be how Spotify does discovery is based on the subnet it is on and not some multicast/broadcast protocol of devices. I may have to dig more into what Spotify is doing.
At the same time, I might "trust" IoT devices and just not trust guests. I had one guest abuse my network. He was a jackass IT guy that thought it was funny to try to crack into my firewall within 5 minutes of me giving him my WiFi. He's an ass, but it was a good lesson to have some type of device trust in place.
-
That would be me -- put my IoT devices on the LAN with my other "stuff" that they need to interact with, but put guest Wi-Fi on a separate VLAN and isolate it from everything but the Internet.
-
@bmeeks said in Device discovery across VLANs?:
If your home LAN does not contain the secrets to the alien technology stored at Area 51
haha - how did you know I had those ;) The example I use asking home users about their security setups is more related to when they use disk encryption and then forget to back up the keys, and then redo their OS install and wonder why they can't get into their data..
Not like you're storing the nuclear launch codes, are you?
@scottlindner yeah that was not meant to be towards you - that was more a personal joke between me and bmeeks.. Sorry I prob could have sent that to him directly.. I personally am not a fan of breaking the L2 barrier even on my home network.. But that is me, it has valid use in a home setup sure.. Unless you do have the launch codes for the US Nuclear Arsenal? hehehe
I have a few posts around here about setup and validation of avahi, but it depends on what exactly you're using for discovery. avahi is for mDNS, and you need a rule for the multicast address, etc.
Me not being a fan of it doesn't mean I'm not willing to help others set it up and validate it works. Me personally, for like my printer and AirPrint.. You just have to be on that WiFi network to use AirPrint. Easier to just put the printer on that VLAN; my PC can just point to its IP to print, no need for discovery anything. And I have nothing else on my network that would even leverage discovery.. Maybe the Roku apps on my phone, but if you join my Roku WiFi network you can discover, and once you discover you don't need to be on that network any more to use the remote on the phone, etc.